Blog Viewer

Tech Tip - CA Privileged Access Manager: Cipher Suites supported by the Active Directory Target Application

By Ralf Prigl posted 04-12-2018 06:22 PM

  

Question

What Cipher Suites are supported by the Active Directory Target Application in PAM 3.1.1?

Answer

The AD target application only connects to the secure 636 port of AD domain controllers. A good way to see which Cipher Suites a secure client supports is to run a network trace somewhere along the network route, or on the AD controller itself, and inspect the "Client Hello" packet. An example is given below for a PAM 3.1.1 AD target application connecting to a domain controller using TLS 1.2:

 

Transmission Control Protocol, Src Port: 51577, Dst Port: 636, Seq: 1, Ack: 1, Len: 252

Secure Sockets Layer

    TLSv1.2 Record Layer: Handshake Protocol: Client Hello

        Content Type: Handshake (22)

        Version: TLS 1.2 (0x0303)

        Length: 247

        Handshake Protocol: Client Hello

            Handshake Type: Client Hello (1)

            Length: 243

            Version: TLS 1.2 (0x0303)

            Random: 5ab9029fceced8d64a24f35f13bfb9e02bdd8c57bdcb7318...

            Session ID Length: 0

            Cipher Suites Length: 100

            Cipher Suites (50 suites)

                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024)

                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)

                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA256 (0x003d)

                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 (0xc026)

                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 (0xc02a)

                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x006b)

                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 (0x006a)

                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)

                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)

                Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)

                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA (0xc005)

                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA (0xc00f)

                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x0039)

                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA (0x0038)

                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 (0xc023)

                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)

                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA256 (0x003c)

                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 (0xc025)

                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 (0xc029)

                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x0067)

                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 (0x0040)

                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)

                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)

                Cipher Suite: TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)

                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA (0xc004)

                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA (0xc00e)

                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)

                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA (0x0032)

                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)

                Cipher Suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)

                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

                Cipher Suite: TLS_RSA_WITH_AES_256_GCM_SHA384 (0x009d)

                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02e)

                Cipher Suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 (0xc032)

                Cipher Suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009f)

                Cipher Suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 (0x00a3)

                Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)

                Cipher Suite: TLS_RSA_WITH_AES_128_GCM_SHA256 (0x009c)

                Cipher Suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02d)

                Cipher Suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 (0xc031)

                Cipher Suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x009e)

                Cipher Suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 (0x00a2)

                Cipher Suite: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc008)

                Cipher Suite: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012)

                Cipher Suite: TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)

                Cipher Suite: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA (0xc003)

                Cipher Suite: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA (0xc00d)

                Cipher Suite: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x0016)

                Cipher Suite: TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA (0x0013)

                Cipher Suite: TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)

            Compression Methods Length: 1

            Compression Methods (1 method)

            Extensions Length: 102

            Extension: supported_groups (len=22)

            Extension: ec_point_formats (len=2)

            Extension: signature_algorithms (len=28)

            Extension: server_name (len=34)

0 comments
3 views